NIS2 incident reporting: 24h/72h deadlines and complete process

Introduction

Starting October 2026, cybersecurity incident reporting becomes mandatory for all NIS2 entities in Romania. Failure to meet deadlines can result in severe sanctions. This guide explains the requirements, timelines, and reporting process.

What Constitutes a "Significant Incident"?

Not every security incident must be reported to DNSC (National Cyber Security Directorate). An incident is considered significant if:

Significance Criteria:

1. Severe Operational Impact

   • Causes or may cause serious service disruptions
   • Affects availability, integrity, or confidentiality of data

2. Substantial Financial Impact

   • Significant direct or indirect losses
   • Considerable remediation costs

3. Impact on Third Parties

   • Affects other providers or customers
   • Has potential cross-border impact

4. Specific Incident Types:

   • Unauthorized access to critical systems
   • Ransomware or other malware with operational impact
   • Sensitive data breaches
   • DDoS attacks affecting services
   • Supply chain compromise

Reporting Deadlines

Initial Alert (Early Warning): 24 Hours

What must be reported:

• The fact that a significant incident has occurred
• Initial available information
• Whether malicious causes are suspected
• Whether it may have cross-border impact

When the countdown starts:

• From the moment the organization becomes aware of the incident
• Not from technical discovery, but from management-level awareness

Complete Notification: 72 Hours

What must be reported:

• Initial assessment of the incident
• Severity and impact
• Indicators of compromise (IoC)
• Remediation measures taken or planned

Interim Report: Upon DNSC Request

When requested:

• For ongoing incidents
• When the situation evolves significantly
• When clarifications are needed

Final Report: 30 Days (or Upon Incident Closure)

What must be included:

• Detailed incident description
• Threat type or root cause
• Remediation measures applied
• Cross-border impact (if any)
• Lessons learned and preventive measures

Incident Report Structure

Section 1: Identification

• Detection date and time
• Who detected the incident
• Affected systems
• Initial impact assessment

Section 2: Technical Description

• Attack vector (if known)
• Indicators of compromise (IPs, hashes, domains)
• Affected systems and services
• Potentially compromised data

Section 3: Impact

• Operational impact (which services are affected)
• Financial impact (estimate)
• Impact on third parties
• Potential cross-border impact

Section 4: Actions

• Containment measures taken
• Eradication measures
• Recovery measures
• Communication to affected parties

Section 5: Conclusions (Final Report Only)

• Identified root cause
• Lessons learned
• Preventive measures implemented

How NIS2 Manager Helps

Incident Management Module

1. Quick Registration

   • Structured form for capturing information
   • Automatic deadline calculation (24h, 72h, 30 days)
   • Severity classification (Low/Medium/High/Critical)

2. Guided Workflow

   • Status tracking: Detected → Under Investigation → Reported → Resolved
   • Automatic reminders before deadlines
   • Checklist for mandatory information

3. Report Generation

   • PDF export in DNSC-accepted format
   • Templates for initial alert, complete notification, final report
   • Complete incident history

4. Monitoring Dashboard

   • Active incidents visualization
   • Approaching deadlines
   • Statistics and trends

Best Practices for Reporting

1. Prepare in Advance

• Define the Incident Response Team (IRT)
• Establish clear escalation procedures
• Document communication channels
• Test the process periodically

2. Rapid Detection

• Implement SIEM or monitoring solutions
• Establish baselines for normal behavior
• Automate alerts for anomalies
• Train staff to recognize incidents

3. Document from the First Moment

• Record all actions with timestamps
• Preserve logs from affected systems
• Document decisions made and why
• Don't delete evidence in the rush to remediate

4. Communicate Proactively

• Report sooner rather than later
• Better to report and revoke than to delay
• Update DNSC if the situation evolves
• Maintain an open line of communication

What Happens After Reporting?

Possible DNSC Actions:

1. Receipt Confirmation - Within 24 hours
2. Request for Additional Information - If necessary
3. Technical Assistance - For serious incidents
4. Coordination - With CERT-RO or other authorities
5. Public Communication - For incidents with broad impact (with your consent on certain details)

Cooperation with Authorities:

• Respond promptly to requests
• Provide access to technical information if requested
• Coordinate public communication
• Implement recommendations received

Sanctions for Non-Reporting

Failure to meet reporting obligations can result in:

• Administrative fines according to the NIS2 regime
• Additional sanctions for obstruction
• Liability for damages caused to uninformed third parties
• Reputational impact - Publication of violations

Conclusion

Incident reporting should not be seen as bureaucratic burden, but as an integral part of cybersecurity. A well-established detection and reporting system protects both the organization and the broader ecosystem.

NIS2 Manager provides the tools needed to manage the entire incident lifecycle, from detection to final report.

Start configuring the incident module

NIS2 Manager is a product by BetterQA, one of Europe's top software testing companies.